Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

No prompt for password change for VPN client authenticate using ACS local DB

I'm setting up VPN authentication using ACS 5.1 and ASA 8.0.5. User connects using Cisco VPN client, and is authenticated to Internal users db on ACS. Everything works, except that if "Change password on next login" is checked for a user, the login will fail. The Radius log on ACS says user need to change password. However it didn't prompt for the password change. I know there must be a simple option either in VPN client profile or ini file, or on ASA tunnel group definition. However I tried several options, still couldn't make it work. Does anyone know?

Thanks,

Tao

  • AAA Identity and NAC
7 REPLIES
New Member

Re: No prompt for password change for VPN client authenticate us

I believe the change password a next logon will only work if user logs into a device using telnet.

New Member

Re: No prompt for password change for VPN client authenticate us

Can someone from Cisco confirm if this is the case? Hard to believe that this won't work.

Thanks,

Tao

New Member

Re: No prompt for password change for VPN client authenticate us

I also stuck with the same issue and have no idea how to encourage user to change their password. Please share if you have any clue.

Thanks.

PK,

New Member

Re: No prompt for password change for VPN client authenticate us

Hi all, I'm having this same issue, is there any way to make users change their passwords via a prompt in the vpn client, Im using ASA 8.2 and ACS 4.2.

A response from Cisco would be appreciate.

Thanks

New Member

Re: No prompt for password change for VPN client authenticate us

To make it work, MS-CHAPv2 must be selected in allowed protocol under ACS access policy. And under VPN tunnel group, enable password management. However this does't fix the issue in my case. Because all my other users should be using PAP/ASCII, when MS-CHAPv2 enabled, somehow all authentication would be using MS-CHAPv2 and fail. And I can't think of a way to define two different VPN policies to separate these two type of authenticaton requests.

Cisco Employee

Re: No prompt for password change for VPN client authenticate us

Password change/management through RADIUS is not supported for users in the local database. Password management to users in external stores is supported, and is documented in CSCsj50218 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj50218).

That being said, while not officially supported, password management to the ACS internal database for VPN users connecting to an ASA is known to work over TACACS on both ACS 4.x and 5.1+.

Steve.

New Member

tunnel-group RA general

tunnel-group RA general-attributes
 authentication-server-group ACS
 password-management

The password-management command changes the behavior so that the ASA is forced to use MSCHAPv2, rather than PAP, in the Radius-Request.

2729
Views
0
Helpful
7
Replies
This widget could not be displayed.